
WO2008022514A1 - Method, system and apparatus for user access authentication - Google Patents


Info

Publication number
WO2008022514A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authentication
network side
random number
user password
Legal status
Ceased
Application number
PCT/CN2007/001228
Other languages
French (fr)
Chinese (zh)
Inventor
Hongguang Guan
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • The present invention relates to network security authentication technologies, and in particular to a method, system and device for user access authentication.
  • At present there are three main access authentication technologies: Point-to-Point Protocol over Ethernet (PPPoE), Dynamic Host Configuration Protocol (DHCP) + Web, and IEEE 802.1X.
  • PPPoE is similar to the traditional dial-up access method: it extends the narrowband dial-up access technology of the public switched telephone network (PSTN) to Ethernet access and is consistent with the original narrowband user access authentication system. Because PPPoE encapsulates every IP packet in an Ethernet frame, the encapsulation rate cannot keep up once the number of users or the size of IP packets grows, and it becomes a network bottleneck. PPPoE access is also unfavourable to multicast services, on which most video services are based. In addition, PPPoE access requires the operator to provide client terminal software, which makes the maintenance workload too large.
  • DHCP+Web authentication requires a DHCP server working together with a Web server. The user first obtains an IP address from the DHCP server and uses it to communicate with the Web server; the Broadband Remote Access Server (BRAS) forces the user's connection to the Web server and pops up an authentication page in the browser. On this page the user enters an account and password; the BRAS receives the user's information, checks the user's legitimacy and authenticates the user against the AAA server. After authentication passes, the user obtains a new legitimate IP address and can access the external Internet or specific network services.
  • This separates authentication from service flows and allows the Web server to be used conveniently for launching value-added services, service promotion and guiding users. DHCP+Web authentication can therefore support more value-added services and supports multicast services well.
  • However, in DHCP+Web authentication the IP address is allocated before the user is authenticated, which wastes IP addresses, and there is no unified standard for the DHCP+Web authentication method.
  • 802.1X is a port-based authentication technology. Its authentication phase uses Extensible Authentication Protocol (EAP) packets; EAP is an extension of PPP, and the authentication phase is similar to PPPoE. The process is as follows: the user initiates authentication with EAP over LAN (EAPoL) packets through 802.1X client software; the switch terminates the EAPoL packets and forwards the EAP packets to the authentication server; after authentication passes, the DHCP server assigns the user an IP address and the user's controlled port is opened, allowing the user to communicate normally.
  • Although 802.1X authentication solves the problems of PPPoE and DHCP+Web authentication, it requires specific client software, and 802.1X currently has no standard client: client programs differ between vendors, so the maintenance workload is large. In addition, because 802.1X is a Layer 2 protocol, it is only responsible for authentication control of the user port. After port authentication completes and the user enters the Layer 3 IP network, user IP address allocation, Layer 3 network security and similar issues remain to be solved. Ethernet switches plus 802.1X alone therefore cannot fully solve the operability, manageability and access security problems of Ethernet access in metropolitan area networks.
  • The prior art also provides an authentication method that implements user access through the DHCP protocol. The process is as follows:
  • (1) The client device generates a certificate from the password and session parameters, the session parameters being generated by the client device itself.
  • (2) The client device builds a DHCP Discover message and sends it to the authentication device; the message contains the user identifier, the session parameters and the certificate generated in step (1).
  • (3) The authentication device generates a verification certificate from the received session parameters and the associated password.
  • (4) The received certificate and the verification certificate are compared; if they are the same, the authentication is considered to have passed.
  • In this method the user equipment itself selects the session parameters used to generate the certificate, so the method cannot effectively prevent replay attacks: an attacker only needs to capture the DHCP Discover message sent by the client and resend it to pass authentication, obtain an authorised address and access the network.
  • Embodiments of the present invention provide a method, system and apparatus for user access authentication that enhance the security of user authentication.
  • In the user access authentication method of an embodiment, the client accesses the network using an IP address allocated by a dynamic host configuration protocol (DHCP) server only after the client has passed authentication. The method includes: the client obtains encryption information from the network side; the client performs an encryption operation on the user password using the encryption information and transmits the encrypted user password to the network side; the network side authenticates the client according to the encryption information and a pre-stored user password.
  • A user access authentication system includes: a network-side device, configured to deliver a random number, authenticate the user-side device according to the random number and an encryption algorithm, and after authentication passes allocate an IP address to the user-side device; and a user-side device, which encrypts the user password using the random number delivered by the network-side device, transmits the encrypted user password to the network-side device, and after authentication passes accesses the network using the IP address allocated by the network side.
  • A network-side device includes an address allocation module that allocates an IP address to the client after the client has passed authentication.
  • Embodiments of the invention encrypt the user password with encryption information generated by the network side, so that password transmission is more secure; no special client software is needed, only DHCP support; the IP address is allocated only after authentication, which avoids wasted IP addresses; and user authentication is implemented at the network layer, securing the Layer 3 network.
  • FIG. 1 is a schematic diagram of a user access authentication process in an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a process for implementing strong authentication in an embodiment of the present invention.
  • In an embodiment, when the user requests an IP address the client obtains encryption information such as a random number, a key or a certificate from the network side; the client encrypts the user password with this encryption information and transmits the encrypted user password to the network side; and the network side authenticates the user using the same encryption information and a pre-stored user password. Because the password is encrypted with information delivered by the network side, and the network side authenticates with that same information, the IP address allocated by the DHCP server on the network side is usable only after authentication, which avoids wasting IP addresses and makes password delivery more secure.
  • The following describes an embodiment taking a random number as the encryption information. The random number can be generated by a Network Access Server (NAS), an Authentication, Authorization and Accounting server (AAA server) or the DHCP server on the network side, and is delivered to the user through the DHCP server.
  • The encryption algorithm may be set in advance on both the user side and the network side (that is, both configured with the same algorithm, such as HMAC-MD5), or it may be negotiated between the client and the network side. Note that HMAC-MD5 is a keyed message authentication code rather than a cipher: the network side must hold the pre-stored password (or an equivalent secret) to recompute the same value, and the transmitted "encrypted user password" is a one-way response that cannot be decrypted back to the password. HMAC-MD5 is not undermined by the known MD5 collision attacks, but HMAC with a SHA-2 hash is the appropriate choice for new deployments.
  • The user access authentication process of an embodiment is described in detail below. FIG. 1 shows the process in which the random number is a challenge word (Challenge Id), the encryption algorithm is negotiated between the client and the AAA server, and the user equipment performs Layer 3 authentication through DHCP on first start-up. The process includes:
  • Step 101: The client device, that is, the DHCP client, prompts the user for a username and password, for example with a pop-up window or by voice.
  • Step 102: The DHCP client sends a DHCP Discover message to the NAS carrying the user identifier and the user's encryption algorithm request. The user identifier uniquely identifies the user and may be a username, a MAC address or the like. The encryption algorithm request lists the algorithms the user supports, such as HMAC-MD5, HMAC-SHA or several algorithms for the AAA server to choose from; if the DHCP client does not need to negotiate an algorithm with the AAA server, the DHCP Discover message need not carry it.
  • Step 103: After receiving the DHCP Discover message, the NAS first caches it and then sends a Challenge Id request message to the AAA server, requesting a Challenge Id and negotiating the encryption algorithm with the AAA server. The Challenge Id request message carries the user's encryption algorithm request, that is, the one or more algorithms supported by the user that can be used to encrypt the user password.
  • Step 104: After receiving the Challenge Id request message, the AAA server allocates a Challenge Id to the user and establishes a binding between the Challenge Id and the user; at the same time it selects one of the algorithms supported by the user (for example HMAC-MD5) and returns a Challenge Id response message to the NAS containing the allocated Challenge Id and the selected algorithm.
  • Step 105: After receiving the Challenge Id response message, the NAS takes the allocated Challenge Id and the selected encryption algorithm from it, adds them to the cached DHCP Discover message as Relay Agent Information Option data, and sends the message to the DHCP server.
  • Step 106: After receiving the DHCP Discover message, the DHCP server selects an IP address from the address pool according to the user identifier (in IPv4 only one IP address is allocated; in IPv6 it is not limited to one), takes the Challenge Id and the selected encryption algorithm from the Relay Agent Information Option of the DHCP Discover message, and sends a DHCP Offer message to the NAS containing the selected IP address, the Challenge Id and the selected encryption algorithm.
  • Step 107: The NAS forwards the DHCP Offer message to the DHCP client.
  • Step 108: After receiving the DHCP Offer message, the DHCP client takes the Challenge Id and the selected encryption algorithm from it, encrypts the user password using the Challenge Id and the selected algorithm, and sends a DHCP Request message to the NAS carrying the user identifier, the Challenge Id and the encrypted user password.
  • Step 109: The NAS caches the DHCP Request message and sends an authentication request message to the AAA server carrying the user identifier, the Challenge Id and the encrypted user password. (Step 109 is missing from the extracted text; its content follows from steps 110 and 111.)
  • Step 110: After receiving the authentication request message, the AAA server looks up the user password corresponding to the user identifier in its database. If a matching user password is found, the AAA server encrypts the found user password using the Challenge Id in the authentication request and the selected encryption algorithm; if the result is the same as the encrypted user password carried in the authentication request message, the authentication passes, otherwise it fails. If authentication succeeds, the AAA server sends an authentication success message to the NAS; otherwise the process ends.
  • Step 111: After receiving the authentication success message, the NAS forwards the cached DHCP Request message to the DHCP server.
  • Step 112: After receiving the DHCP Request message, the DHCP server confirms the address allocation and parameter configuration and returns a DHCP acknowledgement (DHCP Ack) message to the NAS, indicating that the user is allowed to use the allocated address.
  • Step 113: The NAS forwards the DHCP Ack message to the DHCP client.
  • Step 114: The DHCP client receives the DHCP Ack message and has successfully accessed the network.
  • Negotiation of the encryption algorithm between the DHCP client and the AAA server is optional: instead of negotiating, either the AAA server or the DHCP client may simply notify the other of the algorithm to use, and other arrangements are possible. If the DHCP client directly notifies the AAA server of the algorithm, the supported and selected algorithms need not be carried in steps 102 to 107; in step 108 the client encrypts the user password with the Challenge Id and a pre-configured algorithm and notifies the AAA server of the algorithm used through the DHCP Request message.
  • The Challenge Id may be generated by the AAA server, by the NAS or by the DHCP server. If the NAS allocates the Challenge Id, it establishes the binding between the Challenge Id and the user and carries the Challenge Id in the DHCP Discover message sent to the DHCP server; steps 103 and 104 are then used only to negotiate the encryption algorithm, and if no negotiation is required they can be omitted entirely. If the DHCP server generates the Challenge Id, the DHCP Offer message of step 106 carries it and the Challenge Id need not be generated or carried in steps 101 to 105; again, steps 103 and 104 can be omitted if no algorithm negotiation is required. Other forms are also possible.
  • The security problem of transmitting the password is thereby solved. The user can pass authentication only with a Challenge Id that was delivered by the network side through DHCP and bound to that user, and with the user password encrypted by the agreed algorithm under that Challenge Id; the IP address is actually allocated only after authentication passes. Therefore, even if an attacker intercepts the messages sent by the client, the Challenge Id is allocated by the network side and bound to the user, so the attacker cannot reproduce the binding between a Challenge Id and the user, and replay attacks are effectively prevented. In practice this holds only if each Challenge Id is unpredictable and accepted for a single authentication attempt, so that a replayed DHCP Request carries a Challenge Id the network side no longer honours.
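The AAA-server side of the FIG. 1 flow (steps 104, 108 and 110), written as an added example that is not part of the patent, placed next to a model of the client-chosen-parameter scheme from the background section so the difference in replay behaviour is visible. DHCP and NAS relaying are left out; only the values that reach the AAA server are modelled. Assumptions the patent text does not fix: the HMAC is keyed with the password and computed over the Challenge Id, the Challenge Id is 16 random bytes, and a binding is accepted for one authentication attempt only. The algorithm list, user name and password are constructed sample data.

```go
// Added example, not part of the patent: the AAA-server side of the FIG. 1 flow
// (steps 104, 108, 110) beside the client-chosen-parameter scheme the background
// criticises. DHCP/NAS relaying is omitted. Assumed, since the patent does not
// say: HMAC keyed with the password over the Challenge Id; 16-byte random
// Challenge Id accepted for one attempt only.
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// Algorithms the client may offer in the Discover. HMAC-MD5 is the one the
// patent names; the first offered algorithm that the server supports is chosen,
// so a real deployment should apply its own preference order instead.
var supported = map[string]func() hash.Hash{
	"HMAC-MD5":    md5.New,
	"HMAC-SHA256": sha256.New,
}

type binding struct { // what step 104 stores: Challenge Id and algorithm per user
	challenge []byte
	alg       string
}

type AAAServer struct { // pre-stored passwords and one outstanding binding per user
	passwords map[string]string
	bindings  map[string]binding
}

func NewAAAServer(passwords map[string]string) *AAAServer {
	return &AAAServer{passwords: passwords, bindings: map[string]binding{}}
}

// IssueChallenge is step 104: pick one of the algorithms the client offered,
// allocate a fresh Challenge Id and bind both to the user.
func (s *AAAServer) IssueChallenge(user string, offered []string) ([]byte, string, error) {
	if _, ok := s.passwords[user]; !ok {
		return nil, "", errors.New("unknown user")
	}
	for _, alg := range offered {
		if _, ok := supported[alg]; !ok {
			continue
		}
		ch := make([]byte, 16)
		if _, err := rand.Read(ch); err != nil {
			return nil, "", err
		}
		s.bindings[user] = binding{ch, alg}
		return ch, alg, nil
	}
	return nil, "", errors.New("no mutually supported algorithm")
}

// ClientResponse is the client half of step 108: the "encrypted password"
// carried in the DHCP Request is HMAC(password, Challenge Id).
func ClientResponse(password string, challenge []byte, alg string) ([]byte, error) {
	newHash, ok := supported[alg]
	if !ok {
		return nil, errors.New("unsupported algorithm")
	}
	m := hmac.New(newHash, []byte(password))
	m.Write(challenge)
	return m.Sum(nil), nil
}

// Authenticate is step 110. The binding is consumed on every attempt, so a
// captured DHCP Request replayed later fails even though it is identical.
func (s *AAAServer) Authenticate(user string, challenge []byte, alg string, response []byte) bool {
	b, ok := s.bindings[user]
	if !ok {
		return false
	}
	delete(s.bindings, user)
	if b.alg != alg || !hmac.Equal(b.challenge, challenge) {
		return false
	}
	expected, err := ClientResponse(s.passwords[user], b.challenge, b.alg)
	return err == nil && hmac.Equal(expected, response)
}

// PriorArtVerify models the earlier DHCP scheme: the client chose the session
// parameter and the server only recomputes, so a replayed message passes too.
func (s *AAAServer) PriorArtVerify(user string, sessionParam, cert []byte) bool {
	expected, err := ClientResponse(s.passwords[user], sessionParam, "HMAC-MD5")
	return err == nil && hmac.Equal(expected, cert)
}

func main() {
	aaa := NewAAAServer(map[string]string{"user01": "s3cret-pass"}) // constructed
	ch, alg, _ := aaa.IssueChallenge("user01", []string{"HMAC-MD5"})
	resp, _ := ClientResponse("s3cret-pass", ch, alg)
	fmt.Println("first Request:", aaa.Authenticate("user01", ch, alg, resp))    // true
	fmt.Println("replayed Request:", aaa.Authenticate("user01", ch, alg, resp)) // false
	param := []byte("chosen-by-client")
	cert, _ := ClientResponse("s3cret-pass", param, "HMAC-MD5")
	fmt.Println("prior art, replayed:", aaa.PriorArtVerify("user01", param, cert)) // true
}
```

The two things the patent's argument rests on are both in `Authenticate`: the Challenge Id the client returns must equal the one the server bound to that user, and the binding is deleted before the comparison, so the same DHCP Request cannot succeed twice. `PriorArtVerify` has neither property, which is exactly why the background section's scheme replays. The comparisons use `hmac.Equal` so response length or content does not leak through timing.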
  • Step 115: Through the network (Web, FTP or other means) the user obtains a key (a shared key or other key) or a certificate from the network side, and the network side establishes a binding between the key (or certificate) and the user, so that after the DHCP client restarts (for example after shutdown) the Layer 3 authentication process can be performed with the key or certificate.
  • Encryption with a challenge and an algorithm such as HMAC-MD5 (though not limited to it) is a weak authentication method. To achieve strong authentication, the user can instead obtain a certificate or key from the network side before the first start-up, by direct configuration (or another out-of-band method) or through the Extensible Authentication Protocol (EAP) or similar means.
  • The process of performing strong authentication through DHCP with a certificate or key is shown in FIG. 2 and includes:
  • Step 201: The user equipment (that is, the DHCP client) obtains the username and password from the user, for example by popping up a window prompting the user to enter them; other alternative methods may also be used.
  • Step 202: The DHCP client broadcasts a DHCP Discover message carrying the user identifier and the user password encrypted with the key (or certificate). The key (or certificate) may have been obtained through the network (Web, FTP and so on) after the user previously accessed the network successfully, or obtained from the network side before the first start-up by direct configuration (or another out-of-band method) or by EAP; in either case the network side allocates the key (or certificate) to the user and establishes the binding between them.
  • Step 203: After receiving the DHCP Discover message, the NAS caches it, takes the user identifier and the encrypted user password from it, and sends an authentication request message carrying them to the AAA server.
  • Step 204: The AAA server receives the authentication request message, extracts the user identifier and the encrypted user password, decrypts the encrypted user password with the key corresponding to that user in the AAA server, looks up the user's password in the database, and judges whether the decrypted password and the stored password are the same. If they are, authentication succeeds; otherwise it fails.
  • Step 205: If authentication succeeds, the NAS forwards the cached DHCP Discover message to the DHCP server.
  • Step 206: The DHCP server receives the DHCP Discover message and returns a DHCP Offer message.
  • Step 207: The NAS forwards the DHCP Offer message to the DHCP client.
  • Step 208: The DHCP client receives and processes the DHCP Offer message and returns a DHCP Request message.
  • Step 209: The NAS forwards the DHCP Request message to the DHCP server.
  • Step 210: The DHCP server receives and processes the DHCP Request message and returns a DHCP Ack message.
  • Step 211: The NAS forwards the DHCP Ack message to the DHCP client.
  • Step 212: The DHCP client receives the DHCP Ack message and has successfully accessed the network.
  • In this mode the user encrypts the user password directly with a key or certificate, and the AAA server looks up the corresponding key or certificate, decrypts the encrypted user password and compares the result with the saved user password to authenticate the user. The key or certificate can be obtained by the user after a previous successful network access, or before authentication by configuration (or another out-of-band method) or by EAP. Because the AAA server authenticates by decrypting the password with the key or certificate bound to that user, attacks by illegitimate users can be effectively prevented. Unlike the FIG. 1 flow, no Challenge Id round trip is needed here: authentication completes before the DHCP Discover is forwarded to the DHCP server at all.
  • The user authentication process of the above embodiments applies not only to DHCPv4 but also to DHCPv6.
  • In summary, embodiments of the invention encrypt the user password with the random number allocated by the network side, making password transmission more secure; no special client software is needed, only DHCP support; the IP address is allocated after authentication, avoiding wasted IP addresses; user authentication is implemented at the network layer; and the authentication server holds a binding between the user and the key (or certificate), so an illegitimate user cannot obtain the correct key (or certificate) and cannot pass authentication, which effectively prevents attacks by illegitimate users.
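The FIG. 2 exchange, written as an added example that is not part of the patent: the client side of step 202 seals the password under the key the AAA server has bound to the user, and the server side of step 204 decrypts with that key and compares against the stored password. The patent names no cipher, so AES-256-GCM with the nonce sent ahead of the ciphertext is assumed here; `KeyStore`, `Bind`, `SealPassword` and `Authenticate` are names chosen for this example, and the key, user name and password are constructed sample data. Using an authenticated cipher means a ciphertext produced under a different key, or altered in transit, is rejected by the tag check before the password comparison runs.

```go
// Added example, not part of the patent: the FIG. 2 "strong authentication"
// mode, in which the DHCP Discover already carries the password encrypted
// under a key the AAA server has bound to the user (step 202) and the server
// decrypts and compares (step 204). The patent names no cipher; AES-256-GCM
// with the nonce prefixed to the ciphertext is assumed. Credentials and the
// key below are constructed sample data.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeyStore is the AAA server's binding of a pre-shared key and the stored
// password to each user (the binding established in step 115 or out of band).
type KeyStore struct {
	keys      map[string][]byte
	passwords map[string]string
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, passwords: map[string]string{}}
}

// Bind records the key allocated to the user together with the user's password.
func (k *KeyStore) Bind(user string, key []byte, password string) {
	k.keys[user] = key
	k.passwords[user] = password
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword is the client side of step 202: encrypt the password under the
// user's key with a fresh random nonce; the nonce is sent ahead of the ciphertext.
func SealPassword(key []byte, password string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil
}

// Authenticate is step 204: decrypt with the key bound to this user and compare
// with the stored password. A ciphertext made under another user's key, or
// modified in transit, fails the GCM tag check before any comparison happens.
func (k *KeyStore) Authenticate(user string, sealed []byte) (bool, error) {
	key, ok := k.keys[user]
	if !ok {
		return false, errors.New("no key bound to user")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return false, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return false, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(plain, []byte(k.passwords[user])) == 1, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	store := NewKeyStore()
	store.Bind("user01", key, "s3cret-pass")
	sealed, _ := SealPassword(key, "s3cret-pass")
	ok, err := store.Authenticate("user01", sealed)
	fmt.Println("genuine Discover:", ok, err) // true <nil>
	sealed[len(sealed)-1] ^= 1                  // flip one bit of the GCM tag
	ok, err = store.Authenticate("user01", sealed)
	fmt.Println("tampered Discover:", ok, err) // false, authentication error
}
```

The lookup is by user identifier, as in step 204, so the key used for decryption is the one bound to the claimed user and nothing in the message selects it; the comparison of the decrypted value with the stored password is constant-time.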

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for user access authentication, in which a dynamic host configuration protocol (DHCP) server distributes IP addresses to authorized users, includes: the users obtaining encryption information from the network; the users encrypting their passwords with the encryption information and then sending the encrypted passwords to the network; and the network authenticating the users according to the encryption information and the pre-stored passwords. A system and an apparatus for user access authentication are also provided in the present invention. This application makes the sending of passwords safer, prevents the waste of IP addresses, and effectively prevents attacks by unauthorized users.

Description

一种用户接入认证的方法、 系统及装置 技术领域  Method, system and device for user access authentication

本发明涉及网络安全认证技术, 特别涉及一种用户接入认证的方 法、 系统及装置。  The present invention relates to network security authentication technologies, and in particular, to a method, system and device for user access authentication.

发明背景 Background of the invention

目前主要的接入认证技术主要有以下三种: 以太网点对点协议 At present, the main access authentication technologies mainly have the following three types: Ethernet point-to-point protocol

( Point-to-Point Protocol over Ethernet, PPPoE ), 动态主机配置1"办议 ( Dynamic Host Configuration Protocol, DHCP ) +Web以及 ΙΕΕΕ802.1χο 以下分别对这三种认证方式进行简单说明。 (Point-to-Point Protocol over Ethernet, PPPoE), Dynamic Host Configuration Protocol (DHCP) + Web and ΙΕΕΕ802.1χ ο These three authentication methods are briefly described below.

(一) PPPoE  (1) PPPoE

PPPoE类似于传统的拨号接入方式,是传统公共交换电话网(Public Switched Telephone Network, PSTN )窄带拨号接入技术在以太网接入技 术的延伸, 它和原有窄带网络用户接入认证体系一致。 由于 PPPoE对每 —个 IP包都要封装在以太网帧内, 一旦用户增多或者 IP包增大, 封装 速度必然跟不上, 成为了网络瓶颈。 而且, PPPoE接入方式不利于开展 组播业务, 而视频业务大部分是基于组播的。 另外, PPPoE接入方式需 要运营商提供客户终端软件, 维护工作量过大。  PPPoE is similar to the traditional dial-up access method. It is an extension of the traditional public switched telephone network (PSTN) narrowband dial-up access technology in Ethernet access technology. It is consistent with the original narrowband network user access authentication system. . Since PPPoE encapsulates each IP packet in an Ethernet frame, once the number of users increases or the IP packet increases, the encapsulation speed must not keep up, which becomes a network bottleneck. Moreover, the PPPoE access mode is not conducive to the development of multicast services, and most of the video services are based on multicast. In addition, the PPPoE access method requires the operator to provide client terminal software, and the maintenance workload is too large.

(二) DHCP+Web  (2) DHCP+Web

DHCP+Web认证需要 DHCP服务器和 Web服务器配合使用。 用户首 先通过 DHCP服务器得到一个 IP地址, 使用这个 IP地址与 Web服务器 通信; 宽带远程接入服务器(Broadband Remote Access Server, BRAS ) 将用户强制连接到 Web服务器上, 并在浏览器中弹出认证页面。在该页 面中, 用户输入帐号和密码; BRAS收到用户的信息, 对用户的合法性 进行检查, 到 AAA服务器对用户进行认证; 认证通过后, 用户可以获 得新的合法的 IP地址, 使得用户可以访问外部因特网或特定的网絡服 务。 DHCP+Web authentication requires a DHCP server to work with a web server. The user first obtains an IP address through the DHCP server and uses this IP address to communicate with the Web server. The Broadband Remote Access Server (BRAS) forces the user to connect to the Web server and pops up the authentication page in the browser. On this page, the user enters the account number and password; the BRAS receives the user's information, checks the legality of the user, and authenticates the user to the AAA server; after the authentication is passed, the user can obtain the user's A new legal IP address allows users to access the external Internet or specific network services.

这种方式使认证和业务流实现了分离,并可以方便地利用 Web服务 器推出增值业务, 对用户进行业务宣传及业务引导, DHCP + Web 的认 证方式可以实现较多的增值业务, 同时可以艮好的支持组播业务。但是, 在 DHCP + Web的认证方式中, IP地址的分配在用户认证前, 这会造成 IP地址的浪费, 而且 DHCP+Web的认证方式目前没有统一的标准。  In this way, authentication and service flow are separated, and the value-added service can be easily launched by using the Web server to promote the service and guide the user. The DHCP + Web authentication method can realize more value-added services and can be well-off. Support for multicast services. However, in the DHCP + Web authentication mode, the IP address is allocated before the user authentication, which causes a waste of the IP address, and there is no unified standard for the DHCP+Web authentication method.

(三) IEEE802.1X  (3) IEEE802.1X

802. lx技术是基于端口的认证技术, 其认证阶段采用扩展认证协议 ( Extended Authentication Protocol, EAP )报文, EAP报文是 PPP 艮文 的扩展,其认证阶段与 PPPoE方式类似。其认证过程为:用户通过 802.1x 客户端软件采用基于局域网的 EAP ( EAP over LAN, EAPoL )报文发起 认证, 交换机终结 EAPoL报文并向认证服务器转发 EAP报文, 认证通 过后, DHCP服务器为用户分配 IP地址, 用户受控端口打开, 允许用户 正常通信。 虽然 802.1x认证方式解决了 PPPoE和 DHCP + Web认证方 式的问题, 但是 802. lx认证方式需要特定客户端软件, 而 802.1x 目前 没有标准的客户端, 不同厂商客户端程序不同, 因此维护工作量较大; 另外, 由于 802.1x协议是一个 2层协议, 只负责完成对用户端口的认证 控制, 对于完成端口认证后, 用户进入三层 IP网络后, 需要继续解决用 户 IP地址分配、三层网络安全等问题,因此,单靠以太网交换机 + 802.1X, 无法全面解决城域网以太接入的可运营、 可管理以及接入安全性等方面 的问题。  802. lx technology is a port-based authentication technology. The authentication phase uses the Extended Authentication Protocol (EAP) packet. The EAP packet is an extension of the PPP packet. The authentication phase is similar to the PPPoE mode. The authentication process is as follows: The user initiates authentication by using the EAP over LAN (EAPL) packet through the 802.1x client software. The switch terminates the EAPoL packet and forwards the EAP packet to the authentication server. After the authentication is passed, the DHCP server is configured. The user assigns an IP address, and the user controlled port is opened, allowing the user to communicate normally. Although the 802.1x authentication method solves the problems of PPPoE and DHCP + Web authentication methods, the 802. lx authentication method requires specific client software, and 802.1x does not currently have a standard client. Different vendors have different client programs, so the workload is maintained. In addition, because the 802.1x protocol is a Layer 2 protocol, it is only responsible for the authentication control of the user port. After the port authentication is completed, the user needs to continue to solve the user IP address allocation and the Layer 3 network after entering the Layer 3 IP network. 
Security and other issues, therefore, the Ethernet switch + 802.1X alone, can not fully solve the problems of the operational, manageable and access security of the Ethernet access of the metropolitan area network.

In addition, the prior art also provides an authentication method that implements user access through the DHCP protocol. Its process is as follows:

(1) The client device generates a certificate from the password and a session parameter (generated by the client device).

(2) The client device builds a DHCP Discover message and sends it to the authentication device; the message contains the user identifier, the session parameter and the certificate produced in step (1).

(3) The authentication device generates a verification certificate from the received session parameter and the associated password.

(4) The received certificate is compared with the verification certificate; if they are identical, authentication is considered passed.

In this method the user device itself selects the session parameter used to produce the certificate, so the method cannot effectively prevent replay attacks. An attacker only needs to intercept the DHCP Discover message sent by the client and send it again to pass authentication, obtain an authorized address and access the network.

Summary of the invention

Embodiments of the present invention provide a method, system and apparatus for user access authentication, so as to enhance the security of user authentication.

A user access authentication method according to an embodiment of the present invention, in which the client accesses the network using an IP address allocated by a Dynamic Host Configuration Protocol (DHCP) server after passing authentication, includes: the client obtains encryption information from the network side;

the client performs an encryption operation on the user password using the encryption information, and transmits the encrypted user password to the network side;

the network side authenticates the client according to the encryption information and a pre-stored user password.

A user access authentication system includes:

a network-side device, configured to issue a random number, authenticate the client device according to the random number and an encryption algorithm, and allocate an IP address to the client device after authentication passes;

a client device, configured to encrypt the user password using the random number issued by the network-side device, transmit the encrypted user password to the network-side device, and, after authentication passes, access the network using the IP address allocated by the network side.

A network-side device includes:

an encryption information issuing module, which issues to the client the encryption information used for access authentication of the client;

an address allocation module, which allocates an IP address to the client after the client passes authentication.

Embodiments of the present invention encrypt the user password with encryption information generated by the network side, which makes password transfer more secure; no special client software is required, since support for the DHCP protocol is enough; an IP address is allocated to the user only after authentication, which avoids wasting IP addresses; and user authentication is implemented at the network layer, which secures the layer-3 network.

Brief description of the drawings

FIG. 1 is a schematic diagram of the user access authentication process in an embodiment of the present invention.

FIG. 2 is a schematic diagram of the process of implementing strong authentication in an embodiment of the present invention.

Mode for carrying out the invention

To make the technical solution and advantages of the present invention clearer, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.

To solve the security problem of transmitting the user password, embodiments of the present invention obtain encryption information, such as a random number, a key or a certificate, from the network side when the user requests an IP address. The user performs an encryption operation on the user password with the encryption information and transmits the encrypted user password to the network side, and the network side authenticates the user using the same encryption information and the pre-stored user password.

Because the user password is encrypted with encryption information that the network side issued to the user, and the network side authenticates the user with the same encryption information, the user can use the IP address allocated by the network-side DHCP server only after authentication succeeds. This avoids wasting IP addresses and makes password transfer more secure.

The embodiments are described below with a random number as the encryption information. The random number may be generated on the network side by the Network Access Server (NAS), the Authentication, Authorization and Accounting server (AAA server) or the DHCP server, and is provided to the user through the DHCP server. The encryption algorithm may be set in advance on both the client and the network side, that is, both configured with the same algorithm, such as HMAC-MD5, or it may be negotiated between the client and the network side. The user access authentication process of the embodiment is described in detail below.

FIG. 1 is a schematic diagram of the user access authentication process in an embodiment of the present invention. In this embodiment the AAA server generates the random number, for example a challenge value (Challenge Id), and the encryption algorithm is negotiated between the client and the AAA server. When the client device starts for the first time, layer-3 authentication through the DHCP protocol proceeds as follows:

Step 101: the client device, that is, the DHCP client, prompts the user for a user name and password, for example through a pop-up window, a voice prompt or some other means on the DHCP client.

Step 102: the DHCP client sends a DHCP Discover message to the NAS carrying the user identifier and the user's request for an encryption algorithm. The user identifier uniquely identifies the user and may be a user name, a MAC address or similar. The request for an encryption algorithm may list the algorithms the user supports. If the DHCP client does not need to negotiate an algorithm with the AAA server, the DHCP Discover message need not carry this request. The requested algorithm may be HMAC-MD5 or another algorithm (such as HMAC-SHA), and several algorithms may be listed for the AAA server to choose from.

Step 103: on receiving the DHCP Discover message, the NAS first caches it, then sends a Challenge Id request message to the AAA server to request a Challenge Id and negotiate the encryption algorithm. The Challenge Id request carries the user's request for an encryption algorithm, that is, the one or more algorithms the user supports for encrypting the user password.

Step 104: on receiving the Challenge Id request message, the AAA server allocates a Challenge Id to the user, establishes a binding between that Challenge Id and the user, selects one usable algorithm (for example HMAC-MD5) from the algorithms the user supports, and returns a Challenge Id response message to the NAS containing the allocated Challenge Id and the selected algorithm (HMAC-MD5).

Step 105: on receiving the Challenge Id response from the AAA server, the NAS takes the allocated Challenge Id and the selected algorithm from it, adds them to the cached DHCP Discover message as a Relay Agent Information Option, and sends the message to the DHCP server.

Step 106: on receiving the DHCP Discover message, the DHCP server selects an IP address from the address pool according to the user identifier (in IPv4 exactly one address is allocated; in IPv6 it need not be limited to one), reads the Challenge Id and the selected algorithm from the Relay Agent Information Option of the DHCP Discover message, and sends a DHCP Offer message to the NAS containing the selected IP address, the Challenge Id and the selected algorithm.

Step 107: the NAS forwards the DHCP Offer message to the DHCP client.

Step 108: on receiving the DHCP Offer message, the DHCP client takes the Challenge Id and the selected algorithm from it, encrypts the user password with that Challenge Id and algorithm, and sends a DHCP Request message to the NAS carrying the user identifier, the Challenge Id and the encrypted user password.

Step 109: on receiving the DHCP Request message, the NAS first caches it, then takes the user identifier, the Challenge Id and the encrypted user password from it and sends an authentication request to the AAA server carrying the user identifier, the Challenge Id and the encrypted user password.

Step 110: on receiving the authentication request, the AAA server looks up the user password corresponding to the user identifier in its database. If a matching user password is found, the AAA server encrypts it with the Challenge Id from the authentication request and the selected algorithm; if the result is identical to the encrypted user password carried in the authentication request, authentication passes, otherwise it fails. On success the AAA server sends an authentication success message to the NAS; otherwise the process ends.

Step 111: on receiving the authentication success message, the NAS forwards the cached DHCP Request message to the DHCP server.

Step 112: on receiving the DHCP Request message, the DHCP server confirms the address allocation and parameter configuration and returns a DHCP acknowledgement (DHCP Ack) to the NAS, indicating that the user is allowed to use the allocated address.

Step 113: the NAS forwards the DHCP Ack message to the DHCP client.

Step 114: the DHCP client receives the DHCP Ack message and accesses the network.

In the above flow, negotiation of the encryption algorithm between the DHCP client and the AAA server is optional. Instead of being negotiated, the algorithm may simply be announced by one side, the AAA server or the DHCP client, to the other, although the embodiment is not limited to this.

For example, if the DHCP client announces the algorithm it uses directly to the AAA server, steps 102 to 107 need not carry the supported or selected algorithm; in step 108 the client encrypts the user password with the Challenge Id and its pre-configured algorithm, and tells the AAA server which algorithm it used in the DHCP Request message.

Furthermore, in embodiments of the present invention the Challenge Id may be generated by the AAA server, by the NAS or by the DHCP server.

If the NAS generates it, steps 103 and 104 serve only to negotiate the encryption algorithm and no Challenge Id is requested from the AAA server. In step 105 the NAS allocates the Challenge Id to the user, establishes the binding between the Challenge Id and the user, and carries the Challenge Id in the DHCP Discover message sent to the DHCP server. If no algorithm negotiation between the DHCP client and the AAA server is needed either, steps 103 and 104 can be omitted altogether.

If the DHCP server generates the Challenge Id, then, when the algorithm is negotiated, the DHCP Offer message of step 106 carries the Challenge Id generated by the DHCP server, and steps 101 to 105 need not generate or carry a Challenge Id. If no algorithm negotiation between the DHCP client and the AAA server is needed, steps 103 and 104 can be omitted altogether. Other arrangements are also possible.

The above user access authentication process solves the security problem of transmitting the password: the user can pass the authentication server's check only by encrypting the password, with the agreed algorithm, under the Challenge Id that the DHCP server returned and that is bound to the user, and the IP address is really allocated only after authentication passes. Therefore, even if an attacker intercepts the DHCP Discover message sent by the client, the Challenge Id is allocated by the network side and the attacker cannot pass the check that binds the Challenge Id to the user, so replay attacks are prevented effectively.
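The exchange of steps 101 to 114, and the replay weakness of the prior-art steps (1) to (4), worked through as an added example. This is illustrative Python written for this page, not code from the patent or from Huawei: the four parties are plain objects passing dicts in place of DHCP messages, the subscriber table is constructed, and one detail the text leaves open is filled in as an assumption, namely that the AAA server treats a Challenge Id as single-use once an authentication request has consumed it, which is what makes the binding check reject a resent DHCP Request. A Nak stands in for the text's "the process ends".

```python
"""Added example of the FIG. 1 exchange; illustrative code, not the patent's.
DHCP client, NAS, AAA server and DHCP server are plain objects passing dicts
that stand in for DHCP messages. Assumptions: the subscriber table below, and
that the AAA server consumes a Challenge Id on first use."""
import hashlib
import hmac
import secrets

AAA_DB = {"alice": b"correct horse battery", "bob": b"hunter2"}  # constructed
ALGORITHMS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA1": hashlib.sha1}

def encrypt_password(algorithm, challenge, password):
    """The 'encryption operation' of step 108: keyed digest of the password under the Challenge Id."""
    return hmac.new(challenge, password, ALGORITHMS[algorithm]).hexdigest()

class AAAServer:
    def __init__(self, db):
        self.db = db
        self.bindings = {}  # Challenge Id -> (user identifier, algorithm), the binding of step 104

    def challenge_request(self, user_id, offered):
        """Steps 103/104: pick one of the algorithms the user offered, issue a bound Challenge Id."""
        algorithm = next(a for a in offered if a in ALGORITHMS)
        challenge = secrets.token_bytes(16)  # the network-side random number
        self.bindings[challenge] = (user_id, algorithm)
        return challenge, algorithm

    def authenticate(self, user_id, challenge, encrypted_password):
        """Step 110. pop() is the assumption: a Challenge Id works once, so a resent Request finds no binding."""
        binding = self.bindings.pop(challenge, None)
        if binding is None or binding[0] != user_id or user_id not in self.db:
            return False
        expected = encrypt_password(binding[1], challenge, self.db[user_id])
        return hmac.compare_digest(expected, encrypted_password)

class DHCPServer:
    def __init__(self, pool):
        self.free, self.leases = list(pool), {}

    def offer(self, discover):
        """Step 106: choose an address, echo Challenge Id and algorithm from the relay agent option."""
        ip = self.leases.get(discover["user_id"]) or self.free.pop(0)
        self.leases[discover["user_id"]] = ip
        return {"type": "Offer", "ip": ip, **discover["relay_agent_option"]}

    def ack(self, request):
        """Step 112: confirm the lease; the NAS only relays a Request after authentication."""
        return {"type": "Ack", "ip": self.leases[request["user_id"]]}

class NAS:
    def __init__(self, aaa, dhcp):
        self.aaa, self.dhcp = aaa, dhcp

    def handle_discover(self, discover):
        """Steps 103 to 107: get a Challenge Id, attach the relay agent option, relay, return the Offer."""
        challenge, algorithm = self.aaa.challenge_request(discover["user_id"], discover["algorithms"])
        option = {"challenge": challenge, "algorithm": algorithm}
        return self.dhcp.offer({**discover, "relay_agent_option": option})

    def handle_request(self, request):
        """Steps 109 to 113: authenticate first; a Nak stands in for 'the process ends'."""
        ok = self.aaa.authenticate(request["user_id"], request["challenge"], request["encrypted_password"])
        return self.dhcp.ack(request) if ok else {"type": "Nak"}

def build_request(offer, user_id, password):
    """Step 108 on the client: digest the password under the Challenge Id from the Offer."""
    digest = encrypt_password(offer["algorithm"], offer["challenge"], password)
    return {"type": "Request", "user_id": user_id, "challenge": offer["challenge"], "encrypted_password": digest}

def client_login(nas, user_id, password):
    """Steps 101 to 114 from the client side; the Request is returned so it can be replayed."""
    discover = {"type": "Discover", "user_id": user_id, "algorithms": ["HMAC-MD5", "HMAC-SHA1"]}
    request = build_request(nas.handle_discover(discover), user_id, password)
    return nas.handle_request(request), request

def prior_art_replay():
    """Prior-art steps (1) to (4): the client chooses the session parameter, so the verifier
    cannot tell a resent Discover from the original and accepts it a second time."""
    session_param = secrets.token_bytes(16)
    certificate = encrypt_password("HMAC-MD5", session_param, AAA_DB["alice"])

    def verify():
        return hmac.compare_digest(encrypt_password("HMAC-MD5", session_param, AAA_DB["alice"]), certificate)

    return verify(), verify()

def demo():
    nas = NAS(AAAServer(AAA_DB), DHCPServer(["10.0.0.10", "10.0.0.11"]))
    genuine, request = client_login(nas, "alice", AAA_DB["alice"])
    wrong_password, _ = client_login(nas, "bob", b"not hunter2")
    replayed = nas.handle_request(request)  # attacker resends the captured DHCP Request
    return genuine["type"], wrong_password["type"], replayed["type"]
```

demo() returns ('Ack', 'Nak', 'Nak'): the genuine login is acknowledged, a wrong password is refused, and the captured DHCP Request replayed verbatim is refused because its Challenge Id is no longer bound to anyone. prior_art_replay() returns (True, True): the prior-art verifier accepts the same client-chosen session parameter and certificate twice. A Challenge Id issued to one user is also useless to another, even with that other user's correct password, because the binding of step 104 records who it was issued to.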

In addition, this embodiment may further include the following step. Step 115: the user obtains a key (a shared key or another key) or a certificate from the network side through the network (for example the Web, FTP or another means), and the network side establishes a binding between that key (or certificate) and the user. After the DHCP client restarts (for example after a power cycle), the layer-3 authentication flow can then be carried out with the key or certificate.

Because authentication by encrypting with an algorithm such as HMAC-MD5 (but not limited to it) is a weak authentication method, the user may also obtain a certificate or key from the network side before the first start-up, through configuration (or another out-of-band means) or through the Extensible Authentication Protocol (EAP), to achieve strong authentication.

The process of strong authentication through DHCP with a certificate or key in an embodiment of the present invention is shown in FIG. 2 and includes:

Step 201: the client device (the DHCP client) obtains the user's user name and password from user input, for example by prompting with a pop-up window on the client device; other alternatives may of course be used.

Step 202: the DHCP client broadcasts a DHCP Discover message carrying the user identifier and the user password encrypted with the key (or certificate).

The key (or certificate) may be obtained through the network (Web, FTP and so on) after the user has successfully accessed the network, or directly before the first start-up through configuration (or another out-of-band means) or through EAP. When the network side issues the key (or certificate) to the user it also establishes the binding between the key (or certificate) and the user.

Step 203: on receiving the DHCP Discover message, the NAS caches it, takes the user identifier and the encrypted user password from it, and sends an authentication request message to the AAA server carrying the user identifier and the encrypted user password.

Step 204: the AAA server receives the authentication request message, extracts the user identifier and the encrypted user password, decrypts the encrypted user password with the key that corresponds to that user in the AAA server, looks up the user password in its database, and checks whether the decrypted user password and the stored user password are identical. If they are, authentication succeeds; otherwise it fails.

Step 205: if authentication succeeds, the NAS forwards the cached DHCP Discover message to the DHCP server.

Step 206: the DHCP server receives and processes the DHCP Discover message and returns a DHCP Offer message.

Step 207: the NAS forwards the DHCP Offer message to the DHCP client.

Step 208: the DHCP client receives and processes the DHCP Offer message and returns a DHCP Request message.

Step 209: the NAS forwards the DHCP Request message to the DHCP server.

Step 210: the DHCP server receives and processes the DHCP Request message and returns a DHCP Ack message.

Step 211: the NAS forwards the DHCP Ack message to the DHCP client.

Step 212: the DHCP client receives the DHCP Ack message and accesses the network.

In this embodiment the user encrypts the user password directly with the key or certificate, and the AAA server looks up the corresponding key or certificate, decrypts the encrypted user password, and authenticates the user by checking whether the decrypted user password and the stored user password are identical. The key or certificate may be obtained by the user through the network after the user has successfully accessed the network, or before authentication through configuration (or another out-of-band means) or through EAP. Because the AAA server authenticates the user by decrypting the user password with the key or certificate bound to that user, attacks by unauthorized users are prevented effectively.
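The FIG. 2 flow worked through as a second added example; again illustrative code written for this page, not the patent's. The page does not say which cipher protects the password under the key, so the block assumes a keystream cipher built from HMAC-SHA256 in counter mode with a random 16-byte IV prepended to each ciphertext. The subscriber table, the key length and the function names are assumptions too, and the NAS of steps 203 and 205 is reduced to the decision whether the cached Discover is relayed.

```python
"""Added example of the FIG. 2 flow; illustrative code, not the patent's. The page does
not name the cipher, so a keystream cipher from HMAC-SHA256 in counter mode with a random
IV is assumed; the subscriber table, key length and names are assumptions too."""
import hashlib
import hmac
import secrets

AAA_DB = {"alice": b"correct horse battery", "bob": b"hunter2"}  # constructed
IV_LEN = 16

def _keystream(key, iv, length):
    """Counter-mode keystream: HMAC-SHA256(key, iv || counter) blocks, truncated to length."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_with_key(key, plaintext):
    """Client side of step 202: a fresh IV, then plaintext XOR keystream."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))

def decrypt_with_key(key, ciphertext):
    """AAA side of step 204: split off the IV and XOR the same keystream back."""
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))

class AAAServer:
    def __init__(self, db):
        self.db = db
        self.keys = {}  # user identifier -> key: the binding the network side records

    def provision_key(self, user_id):
        """Step 115 after a successful login, or out-of-band before the first start:
        the network side issues a key and records which user it belongs to."""
        key = secrets.token_bytes(32)
        self.keys[user_id] = key
        return key

    def authenticate(self, user_id, encrypted_password):
        """Step 204: decrypt with the key bound to this user, compare with the stored password."""
        key, stored = self.keys.get(user_id), self.db.get(user_id)
        if key is None or stored is None:
            return False
        return hmac.compare_digest(decrypt_with_key(key, encrypted_password), stored)

def build_discover(user_id, password, key):
    """Step 202: the broadcast Discover carries the identifier and the key-encrypted password."""
    return {"type": "Discover", "user_id": user_id, "encrypted_password": encrypt_with_key(key, password)}

def nas_handle_discover(aaa, discover):
    """Steps 203 and 205: the NAS holds the Discover and relays it (True) only if the AAA server accepts."""
    return aaa.authenticate(discover["user_id"], discover["encrypted_password"])

def demo():
    aaa = AAAServer(AAA_DB)
    alice_key = aaa.provision_key("alice")
    genuine = nas_handle_discover(aaa, build_discover("alice", AAA_DB["alice"], alice_key))
    # Knowing alice's password is not enough: a Discover built under a key that is not
    # the one bound to alice decrypts to something else at the AAA server.
    wrong_key = nas_handle_discover(aaa, build_discover("alice", AAA_DB["alice"], secrets.token_bytes(32)))
    # bob was never provisioned, so no key is bound to him and the request is refused outright.
    unprovisioned = nas_handle_discover(aaa, build_discover("bob", AAA_DB["bob"], secrets.token_bytes(32)))
    return genuine, wrong_key, unprovisioned
```

demo() returns (True, False, False): the provisioned key decrypts to the stored password, a Discover built under a key that is not the one bound to alice decrypts to something else and is refused, and bob, who holds no key binding, is refused before any decryption is attempted. The random IV is an addition made here: the page does not specify how the password is encrypted, and without a per-message random value the ciphertext of an unchanging password would be identical in every Discover.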

The user authentication process of the above embodiments applies not only to DHCPv4 authentication but equally to DHCPv6 authentication.

Embodiments of the present invention encrypt the user password with a random number allocated by the network side, which makes password transfer more secure; no special client software is required, since support for the DHCP protocol is enough; the IP address is allocated after authentication, which avoids wasting IP addresses; user authentication is implemented at the network layer; and the authentication server holds the binding between the user and the key (or certificate), so an unauthorized user cannot obtain the correct key (or certificate) and therefore cannot pass authentication, which effectively prevents attacks by unauthorized users.

The above specific embodiments are merely intended to illustrate the present invention, not to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A method for user access authentication, characterized in that the client is authenticated before it accesses the network using an IP address allocated by a Dynamic Host Configuration Protocol (DHCP) server, the method comprising: the client obtaining encryption information from the network side, performing an encryption operation on the user password using the encryption information, and transmitting the encrypted user password to the network side; and the network side authenticating the client according to the encryption information and a pre-stored user password.

2. The method according to claim 1, characterized in that the client obtaining encryption information from the network side comprises: the client obtaining a random number from the network side.

3. The method according to claim 2, characterized in that the client obtaining a random number from the network side comprises: an authentication server generating the random number and sending the random number to a DHCP server; and the DHCP server delivering the random number to the client in a DHCP Offer message.

4. The method according to claim 2, characterized in that the client obtaining a random number from the network side comprises: a network access server generating the random number and sending the random number to a DHCP server in a DHCP Discover message; and the DHCP server delivering the random number to the client in a DHCP Offer message.

5. The method according to claim 2, characterized in that the client obtaining a random number from the network side comprises: a DHCP server generating the random number and delivering the random number to the client in a DHCP Offer message.

6. The method according to claim 2, characterized in that the client and the network side negotiate, during the authentication process, the encryption algorithm used to encrypt the user password, or the encryption algorithm is set in advance.

7. The method according to claim 6, characterized in that the client and the network side negotiating the encryption algorithm during the authentication process comprises: the client sending at least one encryption algorithm it supports to a network access server; the network access server sending a request carrying the at least one encryption algorithm to an authentication server, the authentication server selecting one encryption algorithm from the at least one encryption algorithm and returning the selected encryption algorithm to the network access server; the network access server sending the selected encryption algorithm to a DHCP server in a DHCP Discover message; and the DHCP server sending the selected encryption algorithm to the client in a DHCP Offer message.

8. The method according to claim 3, 4 or 5, characterized in that the client performing an encryption operation on the user password according to the encryption information and transmitting the encrypted user password to the network side comprises: the client performing an encryption operation on the user password using the random number and sending the random number and the encrypted user password to the network access server in a DHCP Request message; and the network access server receiving the DHCP Request message and sending the random number and the encrypted user password to the authentication server in an authentication request.

9. The method according to claim 8, characterized in that the network side authenticating the client according to the encryption information and the pre-stored user password comprises: the authentication server performing an encryption operation on the pre-stored user password using the random number, comparing the result with the encrypted user password carried in the authentication request, and, if they match, passing the authentication.

10. The method according to claim 9, further comprising: after the client passes authentication, obtaining a key or certificate from the network side; on re-authentication or on authentication after a restart, the client encrypting the user password with the key or certificate; and the authentication server decrypting the encrypted user password with the key or certificate, comparing the decrypted user password with the user password pre-stored in the authentication server, and, if they match, passing the authentication.

11. The method according to claim 1, characterized in that the client obtaining encryption information from the network side comprises: the client obtaining a key or certificate from the network side.

12. The method according to claim 11, characterized in that the client obtains the key or certificate through the network, through out-of-band means or through an Extensible Authentication Protocol.

13. The method according to claim 11, characterized in that the client encrypts the user password using the key or certificate and transmits the encrypted user password to the network side; and the network side authenticating the client according to the encryption information and the pre-stored user password comprises: the authentication server decrypting the encrypted user password using the key or certificate, comparing the decrypted user password with the user password pre-stored by the authentication server, and, if they match, passing the authentication.

14. A user access authentication system, characterized in that it comprises: a network-side device, configured to issue encryption information, authenticate a client device according to the encryption information and a pre-stored user password, and allocate an IP address to the client device after authentication passes; and the client device, configured to encrypt the user password using the encryption information issued by the network-side device, transmit the encrypted user password to the network-side device, and, after authentication passes, access the network using the IP address allocated by the network-side device.

15. The system according to claim 14, characterized in that the encryption information is a random number, and the network-side device comprises: an authentication server, which generates the random number, delivers the random number to the client device, and authenticates the client device according to the random number and the pre-stored user password; and a DHCP server, which allocates the IP address to the client device.

16. The system according to claim 14, characterized in that the encryption information is a random number, and the network-side device comprises: a network access server, which generates the random number and delivers the random number to the client device; an authentication server, which receives the encrypted user password sent by the client device and authenticates the client device according to the random number and the pre-stored user password; and a DHCP server, which allocates the IP address to the client device.

17. The system according to claim 14, characterized in that the encryption information is a random number, and the network-side device comprises: a DHCP server, which generates the random number, delivers the random number to the client device, and allocates the IP address to the client device; and an authentication server, which receives the encrypted user password sent by the client device and authenticates the client device according to the random number and the pre-stored user password.

18. The system according to claim 14, characterized in that the client device and the network-side device are preset with an encryption algorithm for encrypting the user password.

19. The system according to any one of claims 15 to 17, characterized in that the client device is further configured to send at least one encryption algorithm it supports to the authentication server; and the authentication server is further configured to select one encryption algorithm from the at least one encryption algorithm and return the selected encryption algorithm to the client device.

20. The system according to claim 14, characterized in that the client device is further configured to obtain a key or certificate from the network-side device after authentication passes, and to encrypt the user password with the key or certificate on re-authentication or on authentication after a restart; and the network-side device is further configured to decrypt the encrypted user password with the key or certificate, compare the decrypted user password with the pre-stored user password, and if

21. The system according to claim 14, wherein the encryption information is a key or certificate; the client device is configured to encrypt the user password using the key or certificate and transmit the encrypted user password to the network-side device; and the network-side device is further configured to decrypt the encrypted user password with the key or certificate, compare the decrypted user password with the pre-stored user password, and, if they match, pass the authentication.

22. A network-side device, characterized in that it comprises:
A network side device, comprising: 加密信息下发模块, 向用户端下发用于对所述用户端进行接入认证 的加密信息;  Encrypting the information sending module, and sending, to the user end, the encrypted information used for access authentication of the user end; 地址分配模块, 在用户端认证通过后, 为所述用户端分配 IP地址。 The address allocation module allocates an IP address to the client after the user end authenticates. 23、 根据权利要求 11所述的设备, 其特征在于, 所述加密信息下 发模块从外部获取所述加密信息或自己生成所述加密信息。 The device according to claim 11, wherein the encryption information issuing module acquires the encrypted information from the outside or generates the encrypted information by itself.
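The challenge-response flow of claims 14 to 19, as an added Python example that is not part of the patent: the network side negotiates an algorithm, delivers a random number, checks the encrypted password against the pre-stored one, and allocates an IP address only after that check succeeds. A keyed hash (HMAC) stands in for the unspecified encryption algorithm, so the server recomputes the expected value from the pre-stored password rather than decrypting; the user names, password and the 192.0.2.0/24 address pool are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed credential store standing in for the authentication server's
# pre-stored user passwords (the page does not say how they are stored).
USER_DB = {"alice": b"correct horse battery staple"}

SERVER_ALGORITHMS = ("hmac-sha256", "hmac-sha1")  # server preference (assumption)
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}

def negotiate(client_algorithms):
    """Claim 19: the server picks one of the algorithms the user end offers."""
    for alg in SERVER_ALGORITHMS:
        if alg in client_algorithms:
            return alg
    raise ValueError("no common encryption algorithm")

def encrypt_password(password, random_number, alg):
    """User end side: bind the password to the random number. A keyed hash
    stands in for the unspecified 'encryption' (assumption)."""
    return hmac.new(password, random_number, DIGESTS[alg]).digest()

class NetworkSide:
    """Authentication server plus DHCP server of claim 15, in one object."""

    def __init__(self):
        self.pending = {}  # username -> (random number, algorithm), single use
        self.pool = ipaddress.ip_network("192.0.2.0/24").hosts()  # constructed pool

    def start(self, username, client_algorithms):
        """Deliver a fresh random number (the challenge) and the chosen algorithm."""
        alg = negotiate(client_algorithms)
        random_number = secrets.token_bytes(16)
        self.pending[username] = (random_number, alg)
        return random_number, alg

    def authenticate(self, username, encrypted_password):
        """Recompute from the pre-stored password and compare in constant time.
        An IP address is handed out only after the check succeeds."""
        if username not in self.pending or username not in USER_DB:
            return None
        random_number, alg = self.pending.pop(username)  # consumed: no replay
        expected = encrypt_password(USER_DB[username], random_number, alg)
        if not hmac.compare_digest(expected, encrypted_password):
            return None
        return str(next(self.pool))
```

Because the challenge is popped on first use, replaying a captured encrypted password against the same network side fails even though the password itself never changed.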
PCT/CN2007/001228 2006-08-14 2007-04-16 Method, system and apparatus for user access authentication Ceased WO2008022514A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610115446.4 2006-08-14
CN2006101154464A CN101127600B (en) 2006-08-14 2006-08-14 A method for user access authentication

Publications (1)

Publication Number Publication Date
WO2008022514A1 true WO2008022514A1 (en) 2008-02-28

Family

ID=39095537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001228 Ceased WO2008022514A1 (en) 2006-08-14 2007-04-16 Method, system and apparatus for user access authentication

Country Status (2)

Country Link
CN (1) CN101127600B (en)
WO (1) WO2008022514A1 (en)

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101827106A (en) * 2010-04-29 2010-09-08 华为技术有限公司 DHCP safety communication method, device and system
CN103139136B (en) * 2011-11-22 2016-06-08 阿里巴巴集团控股有限公司 The management process of a kind of password and equipment
CN102663322B (en) * 2012-02-23 2015-06-24 深圳市乐讯科技有限公司 Method and apparatus for preventing user from cheating by hiding game maps
DE102012209445A1 (en) * 2012-06-05 2013-12-05 Robert Bosch Gmbh Method for secure transmission of safety critical function data between diagnosis tester and control device in control system in vehicle, involves synchronizing keys, and initiating access to client during coincidence of keys
CN102833746B (en) * 2012-09-14 2015-11-25 福建星网锐捷网络有限公司 User's re-authentication method and access controller
CN103108037B (en) * 2013-01-22 2015-12-02 华为技术有限公司 A kind of communication means, Web server and Web communication system
CN103391292A (en) * 2013-07-18 2013-11-13 百度在线网络技术(北京)有限公司 Mobile-application-oriented safe login method, system and device
CN103532987B (en) * 2013-11-11 2016-06-29 国家电网公司 A kind of guard method preventing non-authentication computer equipment from accessing corporate intranet and system
CN103685257B (en) * 2013-12-06 2018-04-06 上海斐讯数据通信技术有限公司 A kind of DHCP network protection system and method
GB2526367A (en) * 2014-05-23 2015-11-25 Ibm Password-based authentication
CN105323207A (en) * 2014-06-06 2016-02-10 南京理工大学常熟研究院有限公司 Web portal security login method preventing AP intercepting
CN105306200B (en) * 2014-06-09 2019-06-21 腾讯科技(深圳)有限公司 The encryption method and device of network account password
CN105721153B (en) * 2014-09-05 2020-03-27 三星Sds株式会社 Key exchange system and method based on authentication information
CN105991578A (en) * 2015-02-12 2016-10-05 中兴通讯股份有限公司 Method and device for implementing login of terminal
CN106161400B (en) * 2015-04-22 2020-08-11 腾讯科技(深圳)有限公司 Communication message security detection method, device and system
CN106209793A (en) * 2016-06-30 2016-12-07 上海斐讯数据通信技术有限公司 A kind of auth method and checking system
CN106357486A (en) * 2016-08-18 2017-01-25 杭州迪普科技有限公司 Access method and device for network users
CN107786423B (en) * 2016-08-29 2019-10-29 北京融聚世界网络科技有限公司 A kind of method and system of instant messaging
CN107888460B (en) * 2016-09-29 2020-12-11 新华三技术有限公司 Method and device for accessing client to network
CN106506479B (en) * 2016-10-24 2019-09-13 北京明华联盟科技有限公司 Method, system and the client of cipher authentication, server and smart machine
CN107070648B (en) * 2017-03-01 2020-09-18 北京信安世纪科技股份有限公司 Key protection method and PKI system
CN107135069A (en) * 2017-04-24 2017-09-05 努比亚技术有限公司 Remote assistance control method and system
CN107426339B (en) * 2017-09-04 2020-05-26 珠海迈越信息技术有限公司 Access method, device and system of data connection channel
WO2020146998A1 (en) * 2019-01-15 2020-07-23 Zte Corporation Method and device for preventing user tracking, storage medium and electronic device
CN112788028A (en) * 2021-01-10 2021-05-11 何顺民 Method and system for acquiring network parameters
CN112866247A (en) * 2021-01-18 2021-05-28 杭州中网智慧科技有限公司 Identity authentication method and device
CN114024708A (en) * 2021-09-23 2022-02-08 广东电力信息科技有限公司 A Network Border Protection Method Based on Intrusion Detection Technology
CN114944927B (en) * 2022-03-17 2023-08-08 国网浙江省电力有限公司杭州供电公司 Portal authentication-based client-free mutual exclusion access platform
CN115333803B (en) * 2022-07-27 2024-12-27 中国电信股份有限公司 User password encryption processing method, device, equipment and storage medium
CN116132163B (en) * 2023-02-10 2024-08-02 南京百敖软件有限公司 Method for realizing device limiting local area network fence by using DHCP protocol
CN118101221A (en) * 2024-04-25 2024-05-28 北京隐算科技有限公司 Password authentication method, system, equipment and medium based on operation transformation implication

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567294A (en) * 2003-06-14 2005-01-19 华为技术有限公司 User certification method
US20050027868A1 (en) * 2003-07-31 2005-02-03 International Business Machines Corporation Method and apparatus for authenticated network address allocation
US6895511B1 (en) * 1998-10-29 2005-05-17 Nortel Networks Limited Method and apparatus providing for internet protocol address authentication
US20060036733A1 (en) * 2004-07-09 2006-02-16 Toshiba America Research, Inc. Dynamic host configuration and network access authentication
CN1741448A (en) * 2004-08-25 2006-03-01 国际商业机器公司 Method and system for client computer self health check

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1248447C (en) * 2002-05-15 2006-03-29 华为技术有限公司 Broadband network access method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2595082A1 (en) * 2011-10-18 2013-05-22 Huawei Device Co., Ltd. Method and authentication server for verifying access identity of set-top box
US8832727B2 (en) 2011-10-18 2014-09-09 Huawei Device Co., Ltd. Method and authentication server for verifying access identity of set-top box

Also Published As

Publication number Publication date
CN101127600A (en) 2008-02-20
CN101127600B (en) 2011-12-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07720801

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07720801

Country of ref document: EP

Kind code of ref document: A1